How to Choose a Secure Password

Google Doc Link: https://docs.google.com/document/d/1_JYcmFvAC3HWDWYh4bfZyEd0vtDvomnSYrggzL73P-8/edit?usp=sharing

Basics of Choosing and Storing a Secure Password

Never, ever share your passwords with anyone else.

Never use the word “Admin”, your real name, or the name of the website as your username. Choose something unique that is not a real word, like “Superduperuser” or “Fancysammy”, or even a nonsense combination of letters and numbers, like “POu658OD&rdO”, because it will be much harder for a hacker to guess.

If you must write your password down somewhere, please store it in a very secure place. See below for more details.

Passwords should be at least 12-16 characters long whenever possible.

Good passwords contain all of the following: capital letters, lower case letters, numbers, and symbols (like & * ! : + or >) and are completely random (example: j*^pUTVp;UTFP85dfP*Tf). Passphrases are also an interesting solution to the problem. See below for more information.

Do not use any real words in any language as part of your password, unless you are using a complex passphrase, which is a technique described below.

It is a good idea to change your passwords on all of your accounts at least once a year, if not every few months. A good way to remember to do this is setting up a recurring calendar reminder for yourself. I use Google Calendar to remind me to change my password regularly – it’s easy and free to use.

Never use the same password for more than one account. Using different passwords for every account is called “password separation”.

What are Passphrases?

Passphrases are a series of real words, chosen at random, that together form a password which is easier to remember but still hard for a hacker to guess or to crack with software.

Passphrases are increasingly considered better than random strings of numbers, letters, and punctuation, simply because they are easier for people to remember, and they tend to be much longer, which makes them far harder for a hacker's cracking software to guess.

Here are some examples of good passphrases (they still should include uppercase and lowercase letters, numbers, and punctuation):

Holidaychocolate4lizardtree!!!

306Lightningstoolfrench?Cab

Hope(yo)Laser1000Journal

Notice that none of the individual words in these passphrases have any relation to one another. Don’t pick words that are often associated with one another, like “egg” and “crack” – those are too easy for cracking software to guess.
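As an added example (not part of the original guide), the generator below picks words uniformly at random with the operating system's secure random source, adds the capital letter, number and punctuation the guide asks for, and estimates how many bits of guessing entropy a passphrase has compared with a fully random character password. The word list here is a constructed stand-in; a real diceware-style list has thousands of words, and the entropy function assumes the words were chosen randomly from such a list, not by association.

```python
import math
import secrets
import string

# Constructed mini word list; a real diceware-style list has thousands of
# words (7776 in the standard one), which is where passphrase strength comes from.
WORDLIST = [
    "holiday", "chocolate", "lizard", "tree", "lightning", "stool",
    "french", "cab", "hope", "laser", "journal", "anchor", "velvet",
    "orbit", "maple", "quartz",
]
SYMBOLS = "&*!:+>?()"   # the punctuation marks the guide suggests


def meets_guide_rules(pw, min_len=12):
    """The guide's checklist: length, upper, lower, digit and a symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def random_passphrase(words=4, wordlist=WORDLIST):
    """Random unrelated words from the OS CSPRNG, plus a capital, a number and a symbol."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    idx = secrets.randbelow(words)
    chosen[idx] = chosen[idx].capitalize()      # guarantees an uppercase letter
    return "".join(chosen) + str(secrets.randbelow(1000)) + secrets.choice(SYMBOLS)


def random_password(length=12):
    """Fully random character password in the j*^pUTVp... style."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy(words, wordlist_size):
    """Bits of guessing entropy: the word choices plus the random number (0-999)
    and symbol. Only the randomness of the choices counts, not word length."""
    return (words * math.log2(wordlist_size)
            + math.log2(1000) + math.log2(len(SYMBOLS)))


def password_entropy(length):
    """Bits of entropy for a uniformly random password over the alphabet above."""
    return length * math.log2(len(string.ascii_letters + string.digits + SYMBOLS))


if __name__ == "__main__":
    print(random_passphrase(), round(passphrase_entropy(4, 7776), 1), "bits")
    print(random_password(), round(password_entropy(12), 1), "bits")
```

With a 7776-word list, four random words plus the number and symbol come to about 65 bits, in the same range as a 12-character fully random password (about 74 bits), while being far easier to remember.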

Here’s a method of selecting passphrases that I invented and that I think might be really useful:

Select a classic novel or a popular scientific PDF that is available online (for example, “War and Peace”). This ensures that you can refer to the document at any time. If you are extra paranoid (recommended!), pick an obscure book from your home instead.

Select a chapter or section of that writing and create a rule for selecting your words from it. Here are some examples:

Second word of the second paragraph of every chapter (up to four words).

Every word that begins with a certain letter in the first paragraph of the book.

Then add at least one number somewhere.

Then add at least one punctuation mark somewhere.

This passphrase creation technique is especially good because it is really random and you always have access to it, without writing anything down. You’re welcome! :)

Here’s another fun way to choose a password – pretend your keyboard is a piano and play a song on it! Helps if you are a piano player. I found this answer on Quora.

How to Record and Secure Your Password

If you have a great memory, you will just remember it. Most of us need help. Here are my suggestions.

Find a system that doesn’t require you to write anything down in order to remember it. Passphrases and meaningful abbreviated alphanumeric terms are really helpful for this. The upside is that if you don’t write it down, it’s really hard for anyone else to steal it from you or hack it. The downside is that you have to remember how you set this up.

Use password manager software. Password managers are secure online services that keep all of your passwords behind one master password that you use to access them.

Remember that even this software is not invincible against hackers, so if they ever are able to get your master password, they will have access to everything else. However, they seem like a very smart way to go overall if you need to write your passwords down somewhere safe. LastPass seems to be the best one out there so far: https://lastpass.com

Read more about password managers here: https://ithemes.com/2017/09/20/why-you-should-use-password-manager

Use another secure storage system, perhaps Google Docs or Dropbox (something behind a password) to record your passwords. The upside of this method is that your passwords are easily accessible in a system you are already used to using. The downside is that if anyone ever gets into your Google Docs or Dropbox account, they will have access to everything else – this is basically the same risk as using password manager software, but slightly riskier because hackers target email addresses like Gmail more frequently in their attacks.

How to Check Your Password Security

Okay, password security is kind of boring but it is important. If you want a chuckle AND to check to see how secure your password is, check out this website :)
http://www.trypap.com

Two Factor Authentication

Two factor authentication means that when you try to log into an account from a new device (phone, computer, etc.) you will be sent a text message with a temporary numerical code that you have to type into the service (like Gmail, Facebook, Twitter, LastPass, etc.) before you can access your account from that new device. This means that nobody else can log into your account without also having access to your phone. This additional layer of security is extremely effective, especially because you have a password on your phone too, right?

The only drawback of using two factor authentication is that if you happen to lose your phone, it takes about 3-5 days on most systems to work with them to deactivate two factor authentication.

I recommend that you use two factor authentication on your most important accounts, like your email, web hosting, and Facebook account.

Other Concerns

If something were to ever happen to you, what is your strategy for letting your loved ones understand what to do with your digital assets? I think that the best strategy is giving two different people that you trust (family members from different sides of your family are my recommendation) halves of a master password to access your most important information about your digital assets. If something were to happen to you, they could combine their halves of your master password to access your detailed documentation, as well as your digital will, if you have one.
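As an added example (not part of the original guide), here is one way to split a master password between two trusted people. It goes slightly beyond the literal "halves" described above: rather than giving each person half of the characters, it gives each a random-looking share such that neither share on its own reveals anything about the password, and only the two combined recover it. The sample password below is constructed.

```python
import secrets


def split_secret(secret):
    """2-of-2 split: share_a is random bytes, share_b = secret XOR share_a.
    Each share alone is indistinguishable from random data, so one trusted
    person cannot recover the password without the other."""
    data = secret.encode("utf-8")
    share_a = secrets.token_bytes(len(data))
    share_b = bytes(x ^ y for x, y in zip(data, share_a))
    # Hex encoding so each share can be printed and stored on paper.
    return share_a.hex(), share_b.hex()


def combine_shares(share_a_hex, share_b_hex):
    """Recover the password; shares must come from the same split."""
    a = bytes.fromhex(share_a_hex)
    b = bytes.fromhex(share_b_hex)
    if len(a) != len(b):
        raise ValueError("shares do not belong together")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


if __name__ == "__main__":
    master = "Hope(yo)Laser1000Journal"       # constructed sample password
    share_a, share_b = split_secret(master)
    print("give to person A:", share_a)
    print("give to person B:", share_b)
    print("recovered:", combine_shares(share_a, share_b))
```

Keep a note with each share saying whose share it pairs with and where the detailed documentation lives; the shares themselves say nothing about the password.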

Facebook also allows you to have a “Legacy Contact” in case of that one thing that eventually happens to all of us. Go set your Legacy Contact right now.

Background Information

Here are some other resources if you are interested in finding out more about safe passwords and why they are so important:

https://www.grc.com/haystack.htm

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

https://haveibeenpwned.com

http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

https://www.quora.com/What-is-the-most-unusual-password-you-have-ever-seen

Other Resources About Digital Security

These guides are excellent resources on DIY digital security that go beyond just having good passwords. These are excellent resources to read that are written in simple language. Please share them widely!

https://decentsecurity.com
https://hackblossom.org/cybersecurity

How a Password Manager Saves You Time

World Password Day is May 5th of each year. Why not set yourself a calendar reminder to change all of your passwords on May 5th?

About Webmistress